Microsoft Entra Integration

Integrate Digital ID with Microsoft Entra ID (Azure AD) for single sign-on and employee synchronisation.

Overview

Microsoft Entra integration provides:

  • Single Sign-On (SSO): Users can log in with their Microsoft 365 accounts
  • Employee Synchronisation: Automatically sync employees from Microsoft 365
  • Seamless Integration: Works with existing Office 365 infrastructure

Prerequisites

  • Microsoft 365 subscription with Azure AD
  • Admin access to Azure AD
  • Ability to register applications in Azure AD

Setting Up Entra Integration

Step 1: Register Application in Azure AD

  1. Log in to the Azure Portal
  2. Go to "Azure Active Directory" → "App registrations"
  3. Click "New registration"
  4. Enter application name: "Digital ID"
  5. Set redirect URI: https://lightslategrey-weasel-963972.hostingersite.com/entra-login.php
  6. Click "Register"

Step 2: Configure API Permissions

  1. In your app registration, go to "API permissions"
  2. Click "Add a permission"
  3. Select "Microsoft Graph"
  4. Add the following permissions:
    • For SSO Login (Delegated Permissions):
      • User.Read - Read user profile
      • openid - Sign in and read user profile
      • profile - View user's basic profile
      • email - View user's email address
    • For User Synchronisation (Application Permissions):
      • User.Read.All - Read all users' profiles (requires admin consent)
  5. Click "Add permissions"
  6. Important: For User.Read.All, click "Grant admin consent" to enable user synchronisation

Step 3: Create Client Secret

  1. Go to "Certificates & secrets"
  2. Click "New client secret"
  3. Enter description and expiration
  4. Click "Add"
  5. Copy the secret value immediately - you won't be able to see it again

Step 4: Configure in Digital ID

  1. Log in as organisation administrator
  2. Go to "Entra Settings" in the admin menu
  3. Enter your Tenant ID (found in Azure AD overview)
  4. Enter your Client ID (Application ID from app registration)
  5. Enter your Client Secret (from Step 3)
  6. Enable the integration
  7. Save settings

Security

Keep your Client Secret secure. Never share it or commit it to version control. Store it in your environment variables.

Using Entra Login

Once configured, users can log in with Microsoft:

  1. Go to the login page
  2. Click "Sign in with Microsoft"
  3. Authenticate with Microsoft 365 credentials
  4. You'll be redirected back to Digital ID

User Synchronisation

When Microsoft Entra integration is enabled, organisation administrators can synchronise users from Microsoft 365:

  • Bulk Import: Fetch all active users from Microsoft Entra ID
  • Automatic Matching: Users are matched by email address
  • Create or Update: New users are created, existing users are updated
  • Employee Profiles: Optionally create employee profiles for users with employee IDs
  • Same Process: Uses the same import logic as CSV/JSON import for consistency

How to Sync Users

  1. Go to Organisation → Microsoft 365 SSO Settings
  2. Ensure Entra integration is enabled
  3. Click "Sync Users from Microsoft Entra ID"
  4. Optionally check "Also create employee profiles" if users have employee IDs
  5. Review the sync results and any warnings

Required Permissions

For user synchronisation to work, your Azure AD app registration needs User.Read.All application permission (not delegated). Admin consent is required for this permission.

Benefits

User synchronisation automates the import process by pulling data directly from Microsoft Entra ID, eliminating the need to export CSV files manually. It uses the same reliable import system as manual CSV/JSON imports.

Troubleshooting

Common Issues

  • Redirect URI mismatch: Ensure the redirect URI in Azure AD matches exactly
  • Permissions not granted: Admin consent may be required for API permissions
  • Invalid client secret: Check that the secret hasn't expired
  • Tenant ID incorrect: Verify the Tenant ID in Azure AD overview